PostScript: Danger Ahead?!

Andrei Costin

Affiliation - PhD student

http://eurecom.fr/

Hack In Paris 2012

whoami: in-between SW/HW hacker

1

Mifare Classic MFCUK

Hacking MFPs (for fun & profit) Holistic

Security

Interest

http://andreicostin.com/papers/

http://andreicostin.com/secadv/

http://andreicostin.com/http://code.google.com/p/mfcuk/http://andreicostin.com/papers/http://andreicostin.com/papers/http://andreicostin.com/papers/http://andreicostin.com/papers/http://andreicostin.com/secadv/

Hack In Paris 2012

Agenda

1. Quick refresher

2. What about PostScript?

3. So, what and how did you find?

4. Attacks in a nutshell

5. Solutions and conclusions

2

http://andreicostin.com/

Hack In Paris 2012

MFPs carry large abuse potential

3

http://andreicostin.com/

Hack In Paris 2012

MFP hacking goes back to the 1960’s

4

“Spies in the Xerox machine”

The “micro”-film camera, marked X

Patent drawing, 1967

Electronics/hardware hacking

http://andreicostin.com/http://books.google.com/books?id=KIEIX2X-na8C&lpg=PA68&ots=2im-APXCTH&dq="Spies in the Xerox Machine"&pg=PA68

Hack In Paris 2012

More recent news flashes for printer hacking

5

Oct 2010 – “Printer cartride bomb” A presumably bomb attack (i.e. physical security)

2010 – “US Chamber of Commerce printer hack”

The nature of hack/communication unclear

http://andreicostin.com/http://www.foxnews.com/scitech/2010/10/29/used-toner-cartridge-used-bombs-expert-says/http://www.foxnews.com/scitech/2010/10/29/used-toner-cartridge-used-bombs-expert-says/http://www.foxnews.com/scitech/2010/10/29/used-toner-cartridge-used-bombs-expert-says/http://www.foxnews.com/scitech/2010/10/29/used-toner-cartridge-used-bombs-expert-says/http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?pagewanted=all

Hack In Paris 2012

More recent news flashes for printer hacking

6

June 2012 – “Printer Virus” Most probably, side effect of a PC malware However, shows HOW UNPROTECTED are MFPs in most orgs

http://andreicostin.com/http://about-threats.trendmicro.com/RelatedThreats.aspx?language=us&name=Understanding+the+Printer+Virushttp://www.symantec.com/business/support/index?page=content&id=TECH190982

Hack In Paris 2012

Modern printer hacking goes back almost a decade

7

Broader & deeper printer hacking (irongeek)

Initial printer hacks (FX/pH)

2002 2006

Revived printer hacking interest

This talk focuses mainly on remote code execution inside MFPs/printers

2010-2012

http://andreicostin.com/

Hack In Paris 2012

In 2010 demo’d : mapping public MFPs

8

http://www.youtube.com/watch?v=t44GibiCoCM

http://andreicostin.com/http://www.youtube.com/watch?v=t44GibiCoCM

Hack In Paris 2012

… and generic MFP payload delivery using Word

9

http://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims on this discovery)

http://andreicostin.com/http://www.youtube.com/watch?v=KrWFOo2RAnkhttp://www.youtube.com/watch?v=njVv7J2azY8

Hack In Paris 2012

… and generic MFP payload delivery using Java

10

http://www.youtube.com/watch?v=JcfxvZml6-Y

http://andreicostin.com/http://www.youtube.com/watch?v=JcfxvZml6-Yhttp://www.youtube.com/watch?v=JcfxvZml6-Yhttp://www.youtube.com/watch?v=JcfxvZml6-Y

Hack In Paris 2012

Agenda

1. Quick refresher

2. What about PostScript?

3. So, what and how did you find?

4. Attacks in a nutshell

5. Solutions and conclusions

11

http://andreicostin.com/

Hack In Paris 2012

PostScript who? It’s Adobe’s PDF big brother

12

http://andreicostin.com/http://www.adobe.com/products/postscript/pdfs/psprintprime.pdfhttp://www.adobe.com/products/postscript/pdfs/psprintprime.pdf

Hack In Paris 2012

PS is build to handle complex processing tasks

13

Graphics & patterns Complex math Web servers

Ray-tracing, OpenGL Milling machine XML Parsers

http://andreicostin.com/

Hack In Paris 2012

Then, what exactly is PostScript?

14

PostScript IS NOT just a static data stream like

PostScript IS a

Dynamically typed & concatenative Stack-based Turing-complete Programming language What does it all mean? Exactly!

http://andreicostin.com/

Hack In Paris 2012

What happens when printing PS?

15

User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN

User Opens a PS file from email/hdd

PC-based PS interpreter processes it PS data stream executes on PC

In both cases, PS data stream IS A PS program

Program != static data

http://andreicostin.com/

Hack In Paris 2012

Demo1 “Programming language” aspect

16

Programming languages 101:

Control statements if/else loop while

Simplest DoS attack is an “infinite loop”

!% {} loop

http://andreicostin.com/

Hack In Paris 2012

Demo2 “Dynamically typed concatenative" aspect

17

You wonder why your smart IDS/IPS rules stopped working?

Here is why:

ps_dynamic_statement_construction_and_execution.ps Obfuscation at its best built-into the language!

Solution:

Bad news: Need dynamic execution sandbox Good news: It’s coming up – see sandbox slides below

http://andreicostin.com/

Hack In Paris 2012

Dynamic document forging/generation + SocEng

18

User computer User printout

http://andreicostin.com/

Hack In Paris 2012

Dynamic document forging/generation + SocEng

19

Computer side – SocEng bait Printer/MFP side – mal-PS

http://andreicostin.com/

Hack In Paris 2012

Where is PostScript? (Vendor-wise view)

20

Applications incorporating the PS interpreter

Applications/vendors producing the PS interpreter

The PS interpreter specifications and standards

http://andreicostin.com/http://partners.adobe.com/public/developer/ps/sdk/index_archive.htmlhttp://www.accesssoftek.com/http://office.microsoft.com/http://partners.adobe.com/public/developer/ps/sdk/index_archive.htmlhttp://partners.adobe.com/public/developer/ps/sdk/index_archive.htmlhttp://www.adobe.com/http://partners.adobe.com/public/developer/ps/sdk/index_archive.htmlhttp://office.microsoft.com/http://partners.adobe.com/public/developer/ps/sdk/index_archive.htmlhttp://partners.adobe.com/public/developer/ps/sdk/index_archive.htmlhttp://partners.adobe.com/public/developer/ps/sdk/index_archive.htmlhttp://www.ghostscript.com/http://www.ghostscript.com/http://www.ghostscript.com/http://www.cups.org/http://www.gimp.org/http://www.irfanview.com/http://partners.adobe.com/public/developer/ps/sdk/index_archive.htmlhttp://www.ghostscript.com/

Hack In Paris 2012

Where is PostScript? (Role-wise view)

21

http://andreicostin.com/http://www.data-connect.com/Print_Servers.htmhttp://www.ghostscript.com/http://partners.adobe.com/public/developer/ps/sdk/index_archive.htmlhttp://www.cups.org/http://partners.adobe.com/public/developer/ps/sdk/index_archive.htmlhttp://www.cups.org/

Hack In Paris 2012

Agenda

1. Quick refresher

2. What about PostScript?

3. What else was found?

4. Attacks in a nutshell

5. Solutions and conclusions

22

http://andreicostin.com/

Hack In Paris 2012

A PS-based firmware upload was required

23

http://andreicostin.com/

Hack In Paris 2012

This is too good to be true….

24

VxWorks API /vx***

Debug/QA API /QA***

Logging API /***EventLog

BillingMeters API /***meter***

Pump PWM /***pumppwm

RAMdisk API /***ramdisk

RAM API /***ram***

Flash API /***flash***

http://andreicostin.com/

Hack In Paris 2012

Memory dumping reveals computing secrets

25

SANS Security Predictions 2012/2013 - The Emerging Security Threat Memory Scraping Will Become More Common

http://andreicostin.com/http://www.sans.edu/research/security-laboratory/article/security-predict2011http://www.sans.edu/research/security-laboratory/article/security-predict2011http://www.sans.edu/research/security-laboratory/article/security-predict2011http://www.sans.edu/research/security-laboratory/article/security-predict2011

Hack In Paris 2012

Admin restriction fail to prevent memory dumping

26

http://andreicostin.com/

Hack In Paris 2012

Password setup is sniffed by the attacker

27

1) HTTP GET request – password clear text

2) HTTP reply

http://andreicostin.com/

Hack In Paris 2012

Basic auth password can be dumped

28

1) Authorization: Basic YWRtaW4yO…

2) HTTP/1.1 200 OK

http://andreicostin.com/

Hack In Paris 2012

HTTPS / IPsec secrets are “defaulty” & “leaky”

29

0x66306630663066306630663066302222

http://andreicostin.com/http://osdir.com/ml/network.freeswan.user/2003-08/msg00451.html

Hack In Paris 2012

Attacker has access to printed document details

30

http://andreicostin.com/

Hack In Paris 2012

Attacker has access to network topology – no-scan

31

http://andreicostin.com/

Hack In Paris 2012

Attacker has access to BSD-style sockets…

32

Two-way BSD-style sockets communication

http://andreicostin.com/

Hack In Paris 2012

Analyzed MFP cannot protect effectively

33

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS, IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail / warn / ok

http://andreicostin.com/

Hack In Paris 2012

Plenty of Xerox printers share affected PS firmware update mechanism

34

http://andreicostin.com/

Hack In Paris 2012

PSYkit – source code release time

35

http://andreicostin.com/

Hack In Paris 2012

Agenda

1. Quick refresher

2. What about PostScript?

3. So, what and how did you find?

4. Attacks in a nutshell

5. Solutions and conclusions

36

http://andreicostin.com/

Hack In Paris 2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 – SocEng Stage 2 - Printing Stage 3 – Exploiting/spying

Print

attachment

Print

from

web

Malware exploits

internal netw. or

extracts data

Spool

malicious

byte

stream

http://andreicostin.com/

Hack In Paris 2012

Agenda

1. Quick refresher

2. What about PostScript?

3. So, what and how did you find?

4. Attacks in a nutshell

5. What’s next, solutions, conclusions

38

http://andreicostin.com/

Hack In Paris 2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PS/PJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

http://andreicostin.com/

Hack In Paris 2012

Protocol-wise mitigation solution PostScript/PJL sandbox

40

Secure PostScript Execution/Interpreter Sandbox Set of online/offline tools for analysis & reporting Wepawet-like, but for PostScript related data Subscribe for updates: postscript-sec@andreicostin.com

http://andreicostin.com/mailto:postscript-sec@andreicostin.commailto:postscript-sec@andreicostin.commailto:postscript-sec@andreicostin.com

Hack In Paris 2012

What’s next? PS + MSF + FS + Sockets = PWN!

41

http://andreicostin.com/

Hack In Paris 2012

Solutions

42

Admins • Disable PS processing on printers • Route print-jobs thru sandboxed print-servers • Replace PS drivers with PCL ones (well…) • Disable Language Operator Authorization • Look for security bulletins and patch • Sandbox printers in your network • Include MFPs in security audit lifecycle

Users • Do not print from untrusted sources • Be suspicious on PostScript files

Vendors • Create realistic MFP threat models • Do not enable/expose super-APIs

Actor Suggested actions

http://andreicostin.com/video & code/28c3_video9_ps_SOLUTION_language_operator_authorization_disable.avi

Hack In Paris 2012

Acknowledgements

43

The Xerox-related PostScript work & research done under support of

http://andreicostin.com/http://srlabs.de/

Hack In Paris 2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

http://andreicostin.com/http://eurecom.fr/

Hack In Paris 2012

Thanks/resources

45

Personal thanks

Igor Marinescu, MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses, active mitigation

www.tinaja.com Insanely large free postscript resources dir

www.anastigmatix.net Very good postscript resources

www.acumentraining.com Very good postscript resources

http://andreicostin.com/https://picasaweb.google.com/igor.marinescuhttps://picasaweb.google.com/igor.marinescuhttp://www.xerox.com/securityhttp://www.tinaja.com/post01.asphttp://www.anastigmatix.net/postscript/resource.htmlhttp://www.acumentraining.com/resources.html

Hack In Paris 2012

Take aways

46

Questions? Andrei Costin andrei@andreicostin.com http://andreicostin.com/papers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation, strong credentials, and continuous vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check www.youtube.com/user/zveriu Join: postscript-sec@andreicostin.com

http://andreicostin.com/mailto:andrei@andreicostin.comhttp://andreicostin.com/papershttp://www.youtube.com/user/zveriumailto:postscript-sec@andreicostin.commailto:postscript-sec@andreicostin.commailto:postscript-sec@andreicostin.com